INFORMATION TECHNOLOGY
The European Data Protection Supervisor (EDPS) adopts new Guidelines on generative AI and data protection
The European Data Protection Supervisor (EDPS) has published version 2.0 of the Guidelines on the compliant use of generative artificial intelligence systems, updating the 2024 document to reflect the technological evolution and the increase in the use of these tools by the European institutions.
The Guidelines – adopted pursuant to Regulation (EU) 2018/1725 – today represent the main reference to ensure that the use of generative AI in EU administrations respects fundamental rights and data protection principles.
The document provides practical guidance on sixteen key areas, including the definition of the roles and responsibilities of the parties involved, the choice of the legal basis for each processing step, the drafting of dedicated DPIAs, the limitation of purposes and data minimization, the management of the quality and accuracy of information, the protection of the rights of data subjects, the prevention of algorithmic bias, IT security and full accountability.
Among the most relevant points:
The EDPS clarifies that the concepts of provider, developer and deployer in the AI Regulation do not automatically coincide with the roles of controller and processor under data protection law, which must be identified on a case-by-case basis.
Separate legal bases must be identified for the development phase and the deployment phase: consent is considered exceptional, while the rule remains public interest, provided that it is grounded in rules of Union law.
Web scraping for training purposes requires particular caution and strict compliance with the principles of lawfulness, transparency and proportionality.
Controllers must integrate security measures that address risks specific to generative AI – such as prompt injection, model inversion and data poisoning – and document each stage of the system's lifecycle.
The role of the Data Protection Officer is central: the DPO is called upon to ensure adequate technical skills, continuous involvement and coordination with the other organizational functions.
The EU institutions must carry out a mandatory DPIA before any processing that may pose high risks to individuals' rights, and must maintain a complete record of processing activities.
Anonymization of models is considered admissible only when the risk of re-identification is "insignificant", including where probabilistic techniques are used.
The new Guidelines underline the need for continuous supervision, inviting the European institutions to an approach based on documentation, transparency and constant control. The EDPS does not dictate rigid technical measures, but proposes a framework of principles that combines responsibility, proportionality and trust: essential elements for truly compliant and trustworthy AI in the European context.